Feb 19 18:59:49 mail deliver(admin@artpaint.spb.ru): setgid(36385) failed with euid=26, egid=26: Operation not permitted
Feb 19 19:00:46 mail deliver(admin@artpaint.spb.ru): setgid(36385) failed with euid=26, egid=26: Operation not permitted
Feb 19 19:02:56 mail deliver(admin@artpaint.spb.ru): setgid(36385) failed with euid=26, egid=6: Operation not permitted
Feb 19 19:04:45 mail deliver(admin@artpaint.spb.ru): setgid(36385) failed with euid=26, egid=6: Operation not permitted
Feb 19 19:29:04 mail deliver(admin@artpaint.spb.ru): setgid(36385) failed with euid=26, egid=6: Operation not permitted
Feb 19 19:29:04 mail deliver(assistant@artpaint.spb.ru): setgid(36385) failed with euid=26, egid=6: Operation not permitted
Feb 19 19:30:25 mail deliver(admin@artpaint.spb.ru): setgid(36385) failed with euid=26, egid=6: Operation not permitted
gid 36385 - это группа users для всех юзеров в лдапе:
[f0s@mail] /var/log/> id zainutdinova
uid=5020(zainutdinova) gid=36385(users) groups=36385(users), 14953(marketing)
# Exim pipe transport that hands local delivery to the Dovecot LDA.
dovecot_delivery:
driver = pipe
# The recipient is passed as user@domain; dovecot-ldap.conf looks the same
# form up through its user_filter / pass_filter ((mail=%n@%d)).
command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
# deliver is started as mailnull:mail. The LDAP userdb returns a per-user
# uidNumber/gidNumber (gid 36385 "users" in the log above) and deliver then
# tries to switch to that identity; a process without root privilege cannot
# setgid() to another group, which is exactly the
# "setgid(36385) failed ... Operation not permitted" in the log. Adopting the
# looked-up uid/gid needs the LDA to start privileged (and drop privilege
# itself) or all mailboxes to belong to one fixed uid/gid.
# NOTE(review): euid=26 is presumably mailnull on this host -- confirm.
user = mailnull
group = mail
вот конфиг dovecot.conf:
# dovecot.conf (Dovecot 1.x style: protocol/auth blocks, doc/wiki references).
base_dir = /var/run/dovecot/
# Only the TLS-wrapped IMAP listener is enabled. Together with
# disable_plaintext_auth below this means the PLAIN mechanism configured in
# "auth default" is never offered on an unencrypted connection.
protocols = imaps
protocol imap {
# Non-standard IMAPS port, bound to a single internal address.
ssl_listen = 192.168.10.8:10993
}
disable_plaintext_auth = yes
shutdown_clients = yes
##
## Logging
##
# Log file to use for error messages, instead of sending them to syslog.
# /dev/stderr can be used to log into stderr.
#log_path = /var/log/dovecot.log
# Log file to use for informational and debug messages.
# Default is the same as log_path.
#info_log_path =
# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
# Errors go to syslog with the mail facility (the "mail deliver(...)" lines
# quoted above come from here).
syslog_facility = mail
##
## SSL settings
##
# Disable SSL/TLS support.
ssl_disable = no
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
##
## Login processes
##
# <doc/wiki/LoginProcess.txt>
# Directory where authentication process places authentication UNIX sockets
# which login needs to be able to connect to. The sockets are created when
# running as root, so you don't have to worry about permissions. Note that
# everything in this directory is deleted when Dovecot is started.
login_dir = /var/run/dovecot/login
# chroot login process to the login_dir. Only reason not to do this is if you
# wish to run the whole Dovecot without roots. <doc/wiki/Rootless.txt>
login_chroot = yes
# User to use for the login process. Create a completely new user for this,
# and don't use it anywhere else. The user must also belong to a group where
# only it has access, it's used to control access for authentication process.
# Note that this user is NOT used to access mails. <doc/wiki/UserIds.txt>
login_user = dovecot
# Set max. process size in megabytes. If you don't use
# login_process_per_connection you might need to grow this.
login_process_size = 64
# Should each login be processed in its own process (yes), or should one
# login process be allowed to process multiple connections (no)? Yes is more
# secure, especially with SSL/TLS enabled. No is faster since there's no need
# to create processes all the time.
login_process_per_connection = yes
# Number of login processes to keep for listening new connections.
login_processes_count = 3
login_max_processes_count = 64
# Greeting message for clients.
# Deliberately misleading banner; purely cosmetic, it changes nothing about
# the protocol or mechanisms actually offered.
login_greeting = Microsoft Exchange Server
# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
# Login log format. %$ contains login_log_format_elements string, %s contains
# the data we want to log.
login_log_format = %$: %s
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. This is the same as the old default_mail_env
# setting. The default is empty, which means that Dovecot tries to find the
# mailboxes automatically. This won't work if the user doesn't have any mail
# yet, so you should explicitly tell Dovecot the full location.
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
# One Maildir per user under /mail, keyed by the full username.
mail_location = maildir:/mail/%u
# Extra group granted to mail processes. NOTE(review): with per-user
# Maildirs under /mail/%u each process works inside its own tree, so check
# whether group "mail" is still needed; an extra group is privilege every
# mail process carries and should be kept only if something requires it.
mail_extra_groups = mail
verbose_proctitle = yes
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
# NOTE(review): 25 admits low system accounts that the default floor of 500
# exists to exclude. The LDAP user shown above has uid 5020, so a floor this
# low looks unnecessary -- confirm before keeping it.
first_valid_uid = 25
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
# NOTE(review): 0 admits users whose primary group is root/wheel, which the
# default explicitly prevents. The LDAP primary group shown above is 36385,
# so this can stay at the default -- confirm.
first_valid_gid = 0
##
## IMAP specific settings
##
# NOTE(review): second "protocol imap" block in this file (the first one sets
# ssl_listen). How this Dovecot version combines duplicate blocks should be
# confirmed; merging both into one block avoids the question.
protocol imap {
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
##
## POP3 specific settings
##
# Inactive while "protocols = imaps" lists no pop3 listener.
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
##
## LDA specific settings
##
protocol lda {
# Address to use when sending rejection mails.
postmaster_address = admin@artpaint.spb.ru
# Binary to use for sending mails.
sendmail_path = /usr/sbin/sendmail
# UNIX socket path to master authentication server to find users.
# Must match the master socket "path" in "auth default" below. deliver asks
# here for the recipient's uid/gid/home (LDAP userdb); the gid it then tries
# to setgid() to -- 36385 in the log above -- comes from that lookup.
auth_socket_path = /var/run/dovecot/auth-master
}
auth default {
# PLAIN only; acceptable here because plaintext auth is refused outside TLS.
mechanisms = plain
socket listen {
master {
path = /var/run/dovecot/auth-master
# 0600: only the socket owner can connect. The owner is mailnull, the user
# the Exim transport above starts deliver as; at this mode the group
# setting below grants nothing.
mode = 0600
user = mailnull
group = mail
}
}
# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
passdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
userdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
# NOTE(review): the auth process runs as root although both passdb and
# userdb are LDAP, which does not need root to query. A dedicated
# unprivileged user would follow least privilege -- confirm nothing else in
# this block requires root before changing it.
user = root
}
##
## Dictionary server settings
##
dict {
}
##
## Plugin settings
##
plugin {
}
и вот dovecot-ldap.conf:
# dovecot-ldap.conf -- LDAP passdb/userdb settings referenced from the
# "args" lines in dovecot.conf.
# Plain LDAP on the loopback interface; no TLS is configured. Because
# auth_bind below binds with the password the client supplied, user
# passwords cross this connection in the clear, so it must stay local (or
# move to TLS) if the directory is ever placed on another host.
hosts = 127.0.0.1:389
# Distinguished Name - the username used to login to the LDAP server
# NOTE(review): this is the directory's root DN. With auth_bind the default
# bind is used only for the user/pass searches, so a read-only service
# account scoped to the user subtree would be enough.
dn = cn=root,dc=artpaint,dc=spb,dc=ru
# Password for LDAP server
# Stored in cleartext: this file must be readable only by the user the auth
# process runs as. If "secret" is the live value rather than a placeholder,
# it has now been disclosed with this post and should be changed.
dnpass = secret
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes
# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the
# filename is different in userdb's args). That way one connection is used only
# for LDAP binds and another connection is used for user lookups. Otherwise
# the binding is changed to the default DN before each user lookup.
#
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =
# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3
# LDAP base. %variables can be used here.
base = dc=artpaint,dc=spb,dc=ru
# Dereference: never, searching, finding, always
#deref = never
# Search scope: base, onelevel, subtree
scope = subtree
# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/UserDatabase/ExtraFields
# These per-user values are handed back to deliver through the auth-master
# socket; the gidNumber (36385 = "users" in the log above) is what the
# unprivileged deliver process fails to setgid() to.
user_attrs = uidNumber=uid,gidNumber=gid,homeDirectory=home
# Filter for user lookup. Some variables can be used (see
# http://wiki.dovecot.org/Variables for full list):
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# Matches the user@domain form the Exim transport passes with "deliver -d".
user_filter = (&(objectClass=dbmailUser)(mail=%n@%d))
# Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
# With auth_bind = yes the password attribute is ignored (see above); only
# the mail=user rewrite is effective.
pass_attrs = mail=user,userPassword=password
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
# Filter for password lookups
pass_filter = (&(objectClass=dbmailUser)(mail=%n@%d))
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki.dovecot.org/Authentication
default_pass_scheme = CRYPT
# You can use same UID and GID for all user accounts if you really want to.
# If the UID/GID is still found from LDAP reply, it overrides these values.
#user_global_uid =
#user_global_gid =